This involves creating a "secure" checkbox on the site form that will get passed to the backend so that the site gets HTTPS support (and only that). That's the first step in #394452: Full SSL support.
The vhost configuration would look something like this:
<VirtualHost *:80>
  DocumentRoot /var/aegir/drupal-5.18-aegir
  ServerName aegir.koumbit.net
  Redirect / https://aegir.koumbit.net/
</VirtualHost>
<VirtualHost *:443>
  SSLEngine On
  ServerAdmin webmaster@localhost
  ServerName aegir.koumbit.net
  DocumentRoot /var/aegir/drupal-5.18-aegir
  php_value session.cookie_secure 1
  # Extra configuration from modules:
  # Error handler for Drupal > 4.6.7
  <Directory "/var/aegir/drupal-5.18-aegir/sites/default/files">
    SetHandler This_is_a_Drupal_security_line_do_not_remove
  </Directory>
</VirtualHost>
... so this will probably require another template. This is an otherwise pretty simple task: no certificate management and such.
This is just a matter of implementing a pre_task() hook in a new hosting_ssl module that will form_alter the site form and pass the 'ssl' flag in the backend. In provision, we should start a new provision_ssl module that will provide the new template, collect that ssl flag and override the site template if necessary, then write the ssl flag to the drushrc (see how aliases/redirection does it in #535098: domain redirection).
Comments
Comment #1
anarcat commented
tagging
Comment #2
anarcat commented
This will need to reuse some code from #535098: domain redirection. Maybe this depends on #541754: abstract away vhost engine?
Comment #3
anarcat commented
This is now very close: we just need to add a SSLrequire or similar directive to the vhost now that the ports stuff has hit the tree. It already provides an "ssl" switch on the frontend.
Comment #4
anarcat commented
I committed a first pass. You need to have the SSL certificates defined outside of the configuration file, but it works generally well. Once you choose port 443 (ssl), everything is automatic.
Here's the config I have in /etc/apache2/conf.d/aegir:
... which means everything is under the same certificate for now. The fix to that is #537016: simple certificate management.
It does *not* yet provide a http -> https redirection, which may be a problem, especially since the :80 vhost would then be up for grabs (not good: site_exists should check for more), but that's a frontend issue. Redirection can be completed once we have #541754: abstract away vhost engine.
I think our first milestone is crossed: we can create SSL vhosts.
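An added example, not part of the original thread or of Aegir's code: a small audit that reads generated vhost configuration and flags every SSL vhost whose name has no matching port-80 vhost redirecting to https, or that lacks session.cookie_secure, which are the two properties the proposed template relies on. The hostnames and the sample configuration are constructed, and the function names are hypothetical.

```python
import re
# Constructed sample: two SSL sites, only one with a port-80 redirect vhost.
SAMPLE = """
<VirtualHost *:80>
  ServerName aegir.example.org
  Redirect / https://aegir.example.org/
</VirtualHost>
<VirtualHost *:443>
  SSLEngine On
  ServerName aegir.example.org
  php_value session.cookie_secure 1
</VirtualHost>
<VirtualHost *:443>
  SSLEngine On
  ServerName shop.example.org
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.I | re.S)

def directive(body, name):
    """Return the argument string of the first `name` directive, or None."""
    words = r"\s+".join(re.escape(w) for w in name.split())
    m = re.search(rf"^\s*{words}\s+(.+?)\s*$", body, re.I | re.M)
    return m.group(1) if m else None

def audit(conf):
    """Map each SSL ServerName to a list of findings (empty list = clean)."""
    plain, ssl = {}, {}
    for body in VHOST_RE.findall(conf):
        name = (directive(body, "ServerName") or "").lower()
        is_ssl = (directive(body, "SSLEngine") or "").lower() == "on"
        (ssl if is_ssl else plain)[name] = body
    report = {}
    for name, body in ssl.items():
        findings = []
        if name not in plain:
            findings.append("no plain-HTTP vhost: name is unclaimed on :80")
        else:
            target = (directive(plain[name], "Redirect") or "").lower()
            if not target.rstrip("/").endswith(f"https://{name}"):
                findings.append("plain-HTTP vhost does not redirect to https")
        if directive(body, "php_value session.cookie_secure") != "1":
            findings.append("session.cookie_secure not set to 1")
        report[name] = findings
    return report

if __name__ == "__main__":
    for site, findings in audit(SAMPLE).items():
        print(site, "OK" if not findings else findings)
```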
Comment #5
anarcat commented
Here's the frontend issue with ports: #570980: allow vhosts of the same name on a different port.